Stop of logging of No Valid Signature Found
Mark Andrews
marka at isc.org
Tue Feb 26 01:15:11 UTC 2013
In message <512C09F5.4040400 at htt-consult.com>, Robert Moskowitz writes:
> On 02/25/2013 03:25 PM, Robert Moskowitz wrote:
> >
> > On 02/25/2013 02:33 PM, Robert Moskowitz wrote:
> >>
> >> On 02/25/2013 02:00 PM, Casey Deccio wrote:
> >>> On Mon, Feb 25, 2013 at 5:09 AM, Robert Moskowitz
> >>> <rgm at htt-consult.com> wrote:
> >>>
> >>> Yes, I know lots of places don't have DNSSEC signed zones.
> >>> **I** have not done mine yet, but I turned on DNSSEC checking
> >>> on my server and I am getting all too many messages like:
> >>>
> >>> validating @0xb4247b50: 117.in-addr.arpa NSEC: no valid
> >>> signature found: 1 Time(s)
> >>> validating @0xb4247b50: 117.in-addr.arpa SOA: no valid
> >>> signature found: 1 Time(s)
> >>>
> >>>
> >>> Yes, but 117.in-addr.arpa *is* signed [1], so if you're not getting
> >>> signatures, that's problematic.
> >>
> >> So that is not good. This is over port 53, right? I have that open
> >> for udp and tcp. My general options section has:
> >>
> >> dnssec-enable yes;
> >> dnssec-validation yes;
>
> digging back in the archive here, I find out this should be
>
> dnssec-validation auto;
Actually it can be either. It's all a matter of how you want to
set up your trust anchors. For private root zones it is absolutely
the wrong thing to do.
> And now I don't have all those false no valid sig messages and I can
> look for the NEXT problem.
>
> >> dnssec-lookaside auto;
> >>
> >> /* Path to ISC DLV key */
> >> bindkeys-file "/etc/named.iscdlv.key";
> >>
> >> managed-keys-directory "/var/named/dynamic";
> >>
> >>
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
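An added named.conf illustration of the two forms discussed above (it is not from the thread; the key string is a placeholder, and only one of the two options blocks would appear in a real file):

```conf
// Added example, not from the thread: the two named.conf shapes the
// reply contrasts. Use ONE of the two options blocks below.

// (a) Resolver on the public Internet: let named supply the root
//     trust anchor itself.
options {
    dnssec-enable yes;
    // "auto" loads the built-in root zone key and keeps it current
    // via RFC 5011 rollover tracking, so no manual anchor is needed.
    dnssec-validation auto;
};

// (b) Resolver for a PRIVATE root zone: "auto" would install the
//     public root key, which cannot validate a privately signed root.
//     Use "yes" and configure the private root's own key as the anchor.
options {
    dnssec-enable yes;
    dnssec-validation yes;
};
managed-keys {
    // Placeholder: replace with the KSK (flags 257) published in the
    // private root zone's DNSKEY RRset.
    "." initial-key 257 3 8 "REPLACE-WITH-BASE64-DNSKEY";
};
```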